Created
February 3, 2016 15:18
Test script for online edit of `.user.js` files.
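<?php
////////////////////////////////////////////////////////////
// This proof of concept script is FULL OF SECURITY ISSUES.
// Don't use it, don't install it, don't expose it anywhere.
////////////////////////////////////////////////////////////
// Context: https://github.com/greasemonkey/greasemonkey/issues/2280
////////////////////////////////////////////////////////////
// Request handling, in order:
//   POST with a `file` field     -> overwrite that script with `content`,
//                                   then redirect to the listing
//   GET ?mode=install&file=NAME  -> send the script back as text/plain
//   GET ?file=NAME               -> HTML edit form for the script
//   anything else                -> HTML list of *.user.js in the working dir
//
// Hardened here: the file name is allow-listed before it reaches any
// filesystem call, and every value echoed into HTML is escaped.
// Still open: there is no authentication and no CSRF token, so anyone who
// can reach this page can change what "Install" serves. The warning above
// stands.
////////////////////////////////////////////////////////////

/**
 * Return $value when it is a bare `*.user.js` file name, otherwise null.
 *
 * The allow-list admits only letters, digits, space, dot, underscore and
 * dash, so directory separators, `..`, NUL bytes, drive letters and stream
 * wrapper prefixes can never reach fopen()/file_put_contents(). The mandatory
 * `.user.js` suffix also keeps this script from writing or disclosing files
 * of any other type (including its own source).
 */
function user_script_name($value)
{
    // Request parameters can arrive as arrays (`file[]=x`); refuse those.
    if (!is_string($value)) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,100}\.user\.js\z/', $value)) {
        return null;
    }
    return $value;
}

/** Escape a string for HTML text or a quoted HTML attribute. */
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** End the request with a plain-text error so nothing is reflected as HTML. */
function reject_request($status, $message)
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    print $message;
    exit;
}

$isSave = isset($_POST['file']);
$scriptName = null;
if ($isSave || isset($_GET['file'])) {
    // A save takes its target from the POST body (the field the branch is
    // keyed on); the form sends the same name in both places.
    $scriptName = user_script_name($isSave ? $_POST['file'] : $_GET['file']);
    if ($scriptName === null) {
        reject_request(400, 'Invalid script name: expected NAME.user.js made of letters, digits, space, dot, underscore or dash.');
    }
}

if ($isSave) {
    $content = (isset($_POST['content']) && is_string($_POST['content'])) ? $_POST['content'] : '';
    // Check the result instead of writing through an unchecked handle.
    if (file_put_contents($scriptName, $content, LOCK_EX) === false) {
        reject_request(500, 'Could not write the script.');
    }
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

if (isset($_GET['mode']) && $_GET['mode'] === 'install') {
    if ($scriptName === null || !is_file($scriptName)) {
        reject_request(404, 'No such script.');
    }
    header('Content-Type: text/plain');
    // The body is editable through this page; keep browsers from sniffing it
    // into a different content type.
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($scriptName));
    readfile($scriptName);
    exit;
}

header('Content-Type: text/html; charset=utf-8');
?>
<!DOCTYPE html>
<html>
<head>
<title>Script Editor</title>
</head>
<body>
<?php
if ($scriptName !== null) {
    // A name that does not exist yet is the "New file" case: start empty
    // rather than reading from a failed handle.
    $existing = is_file($scriptName) ? file_get_contents($scriptName) : false;
    $body = ($existing === false) ? '' : $existing;

    $nameHtml = h($scriptName);
    $nameUrl = h(rawurlencode($scriptName));

    print "<form method='post' action='?save&amp;file={$nameUrl}'>";
    print "<input type='hidden' name='file' value='{$nameHtml}'>";
    print "<textarea rows=20 cols=80 name='content'>";
    print h($body);
    print "</textarea><br>";
    print "<input type='submit' value='Save'>";
    print "</form>";
    print "<hr>";
    print "<a href='?file={$nameUrl}'>Edit</a> ";
    print "<a href='?mode=install&amp;file={$nameUrl}'>Install</a> ";
} else {
    $found = glob('*.user.js');
    print '<ul>';
    foreach (($found === false ? [] : $found) as $filename) {
        // Names come from the filesystem, not from this script, so they are
        // escaped like any other untrusted value.
        print '<li>' . h($filename) . ' ';
        // Link only names the handlers above will accept.
        if (user_script_name($filename) !== null) {
            $nameUrl = h(rawurlencode($filename));
            print "<a href='?file={$nameUrl}'>Edit</a> ";
            print "<a href='?mode=install&amp;file={$nameUrl}'>Install</a> ";
        }
        print "</li>";
    }
    print "<li><form>New file: <input type='text' name='file'><input type='submit'></form></li>";
    print "</ul>";
}
?>
</body>
</html>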